The people behind the Maze ransomware are pushing through with their threats on victims to post stolen data during ransomware attacks when the ransom is not paid.

In December, Southwire based in Carrollton, GA declined to pay the threat actors their ransom demand of 200 BTC ($1,664,320). Consequently, the threat actors published some of the victim’s stolen data. The wire and cable manufacturer filed a case in the Northern District of Georgia versus the Maze group as well as the ISP that hosted the Maze group’s website. Southwire won the case leading to the shutdown of the website; but after a few days, the website was up again with another hosting provider.

The webpages listed the names of the businesses the group attacked that did not pay the ransom demand, together with some of their stolen data.

One company is Medical Diagnostic Laboratories (MDLab) in New Jersey. The Maze Team attacked MD Lab on December 2, 2019. Though MD Lab contacted the Maze team, negotiations did not end with a ransom payment.

The Maze website stated that there were 231 workstations encrypted during the attack. Because MD Lab did not pay the ransom, the Maze team published 9.5GB of private research data owned by the company, which includes immunology research. Afterward, the Maze Team put an ad on a hacking forum to sell the stolen data in an effort to start the negotiations with the company again. Bleeping Computer reported that the Maze Team is demanding a total ransom payment of 200 BTC for the 100GB of data stolen during the attack – 100 BTC ($832,880) for the file decryption keys files and 100 BTC for destroying the stolen information.

In the past, attackers have issued threats to publish stolen data during ransomware attacks, but none have actually executed the threats until the Maze gang began publishing stolen data in December 2019. At present, the attackers’ website lists 29 companies that have not paid, alongside samples of their stolen data.

Early in January 2020, the Center for Facial Restoration, Inc. reported having a ransomware attack similar to the November 8, 2019 ransomware attack. The threat actors stole patient information prior to deploying ransomware and demanded ransom payments from the healthcare provider and from 10 to 20 patients. It is believed that the attackers stole the photos and personal data of up to 3,500 people.

Stealing data involves gaining access to a network by the attackers, searching for sensitive information and exfiltrating it without detection. This type of attack requires far more skill to execute compared to a regular ransomware attack. Nevertheless, these data theft cases are becoming prevalent. A number of ransomware operators, such as the Nemty and Sodinokibi gangs, have already used this strategy and have told victims that they will publish or sell their stolen information to force them to pay.